Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA)[1] was enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C.§ 1030), which had been included in the Comprehensive Crime Control Act of 1984. It was written to clarify and increase the scope of the previous version of 18 U.S.C.§ 1030 while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature." (see "Protected Computer", below). In addition to clarifying a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial of service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.[1]

The Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.

In January 2015 Barack Obama proposed expanding the CFAA and the RICO Act in his Modernizing Law Enforcement Authorities to Combat Cyber Crime proposal.[2]DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren have stated opposition to this on the grounds it will make many regular Internet activities illegal, and moves further away from what they were trying to accomplish with Aaron's Law.[3][4]

exclusively for the use of a financial institution or the United States Government, or any computer, when the conduct constituting the offense affects the computer's use by or for the financial institution or the Government; or

which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States...

In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication.[5]

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5)

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—

(A) threat to cause damage to a protected computer;

(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[6]

18 U.S.C.§ 1030(a)(1): Computer Espionage. This section takes much of its language from the Espionage Act of 1917, with the notable addition being that it also covers information related to "Foreign Relations", not simply "National Defense" like the Espionage Act.

United States v. Riggs, brought against people associated with Phrack magazine for obtaining a document (known as the "E911 document") about information on BellSouth products implementing 911 emergency telephone services, a case described in Bruce Sterling's "Hacker Crackdown of 1990". The government dropped the case after it was revealed that the document was on sale by AT&T for $13.

United States v. Morris (1991), 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to "federal interest" computers. The Act was amended in 1996, in part, to clarify language whose meaning was disputed in the case.[7]

Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit), holding that the use of a civil subpoena which is "patently unlawful," "in bad faith," or "at least gross negligence" to gain access to stored email is a breach of both the CFAA and the Stored Communications Act.[8]

LVRC Holdings v. Brekka, 2009 1030(a)(2), 1030(a)(4), in which LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business.[10][11]

Robbins v. Lower Merion School District (U.S. Eastern District of Pennsylvania), where plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating the Act. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[12][13]

People v. SCEA, 2010. Class action lawsuit against Sony for removing OtherOS, the ability to install and run Linux (or other operating systems) on the PlayStation 3. Consumers were given the option to either keep OtherOS support or not. SCEA was allegedly in violation of this Act because if the consumers updated or not, they would still lose system functionality.[16]

United States v. Drake, 2010. Drake was part of a whistle-blowing effort inside the NSA to expose waste, fraud, and abuse with the Trailblazer Project. He talked to a reporter about the project. He was originally charged with five Espionage Act counts for doing this. These charges were dropped just before his trial was to begin, and instead he pleaded guilty to one misdemeanor count of violating the CFAA, (a)(2), unauthorized access.

Grand Jury investigation in Cambridge, 2011. Unknown persons were listed in Grand Jury hearings in Cambridge, Massachusetts, regarding potential charges under the CFAA, as well as the Espionage Act. Journalist Glenn Greenwald has written these were likely related to Wikileaks.[18]

United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. He was indicted for violating CFAA provisions (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI).[21] The case was dismissed after Swartz committed suicide in January 2013.[22]

United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4)[24][25] This is a complex case with two trips to the Ninth Circuit, and another seen as likely after the latest conviction in 2013.[26]

Lee v. PMSI, Inc., 2011. PMSI, Inc. sued former employee Lee for violating the CFAA by browsing Facebook and checking personal email in violation of the company's acceptable use policy. The court found that breaching an employer's acceptable use policy was not "unauthorized access" under the act and, therefore, did not violate the CFAA.

United States v Nada Nadim Prouty, circa 2010.[32] Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a U.S. attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship.[33]

United States v. Neil Scott Kramer, 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions", paving the way for harsher consequences for criminals engaging with minors over cellphones.[34]

United States v. Kane, 2011. Exploiting a software bug in a poker machine does not constitute hacking[35] because the poker machine in question was not a “protected computer” under the statute (not being connected to the Internet it was judged not to qualify as "protected computer" affecting interstate commerce) and because the sequence of button presses that triggered the bug were considered "not exceed their authorized access." As of November 2013[update] the defendant still faces a regular wire fraud charge.[36]

Craigslist v. 3Taps, 2012. 3Taps was accused by Craigslist of breaching CFAA by circumventing an IP block in order to access Craigslist's website and scrape its classified ads without consent. In August 2013, US federal judge found 3Taps's actions violated CFAA and that it faces civil damages for “unauthorized access”. Judge Breyer wrote in his decision that "the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter".[37][38] He also noted "Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public v. nonpublic distinction — but [the relevant section] contains no such restrictions or modifiers."[39]

The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute.

Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.

When our laws need to be modified, Congress has a responsibility to act. A simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations. I will introduce a bill that does exactly that.

In the wake of the prosecution and subsequent suicide of Aaron Swartz, lawmakers have proposed to amend the Computer Fraud and Abuse Act. Representative Zoe Lofgren has drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users".[40] Aaron's Law (H.R. 2454, S. 1196[41]) would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute, despite the fact that Swartz was not prosecuted based on Terms of Service violations.[42]

In addition to Lofgren, Representative Darrell Issa and Representative Jared Polis—all on the House Judiciary Committee, raised questions about the government's handling of the case. Polis called the charges "ridiculous and trumped up," while referring to Swartz as a "martyr."[43] Issa, also chair of the House Oversight Committee, announced that he is investigating the actions of the Justice Department's prosecution.[43][44]

As of May 2014, Aaron's Law was stalled in committee, reportedly due to tech company Oracle's financial interests.[45]

Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;

Eliminated the requirement that the defendant’s action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;

Expanded 18 U.S.C.§ 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;

Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;

Broadened the definition of “protected computer” in 18 U.S.C.§ 1030(e)(2) to the full extent of Congress’s commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and

Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.